Method and apparatus for establishing a key agreement protocol

ABSTRACT

A system and method for generating a secret key to facilitate secure communications between users. A first and second monoid and a function between the two monoids are selected, the function being a monoid homomorphism. A group and a group action of the group on the first monoid are selected. Each user is assigned a submonoid of the first monoid so that these submonoids satisfy a special symmetry property determined by the function, a structure of the first and second monoids, and the action of the group. A multiplication of an element in the second monoid and an element in the first monoid is obtained by combining the group action and the monoid homomorphism. First and second users choose private keys which are sequences of elements in their respective submonoids. A first result is obtained by multiplying an identity element by the first element of the sequence in a respective submonoid. Starting with the first result, each element of the user's private key may be iteratively multiplied by the previous result to produce a public key. Public keys are exchanged between first and second users. Each user's private key may be iteratively multiplied by the other user's public key to produce a secret key. Secure communication may then occur between the first and second user using the secret key.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention relates to cryptography and, more particularly, to a system and method for facilitating cryptographic applications.

2. Description of the Prior Art

Key Agreement Protocols

It is sometimes desirable for individuals to be able to communicate with each other in a way in which third parties are unable to listen to the communication. A simple way for these individuals to communicate is to have the communications themselves proceed in private. For example, if party A and party B desire to communicate in a way which will not be heard by party C, A and B can simply meet at a designated location unknown to C. Similarly, A and B can set up a designated communication line between them which excludes C. Such communication lines are expensive and inconvenient, especially if A and B are geographically far apart from one another.

A first approach to facilitating private communications between A and B is to give A and B a secret key that may be used to encrypt and/or decrypt messages sent between A and B. If C does not know what the key is, it may be very difficult for C to both get a hold of a message sent between A and B and try to understand it. However, giving A and B such a key is also cumbersome, expensive and time consuming. Issues to be addressed include secretly transmitting such a key to A and B and generating a new key each time two individuals need to communicate. Also, if C does ascertain the secret key, then all communications between A and B can be decrypted and read by C.

Another approach for facilitating private communications between A and B is to assign A and B secret mathematical functions $f_a$, $f_b$ respectively. The functions $f_a$ and $f_b$ are chosen from a set of functions, S, all of whose elements are designed so as to be commutative: applying $f_a$ followed by $f_b$ yields the same result as applying $f_b$ followed by $f_a$ (i.e., given an element x, $f_a(f_b(x)) = f_b(f_a(x))$). Assuming the element x is known by both A and B, A can then send $f_a(x)$ to B, and B can send $f_b(x)$ to A over public channels. The secret key that can be evaluated and shared by both A and B is then $f_a(f_b(x)) = f_b(f_a(x))$. To ensure that the system is secure (from an adversary C who knows x and can listen to all communication between A and B) it is necessary that the functions $f_a$ and $f_b$ satisfy the following property: given the value $f_a(x)$ (respectively $f_b(x)$) it is computationally difficult to determine the function $f_a$ (respectively $f_b$). This is called the general Diffie-Hellman key agreement protocol.

Many specific instances of the general Diffie-Hellman protocol for sending secure communications between A and B are known in the prior art (see Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, “Handbook of Applied Cryptography,” CRC Press (1997)). They all differ by their choice of the set of functions. The original Diffie-Hellman key agreement protocol is an example of the above described techniques (see W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. IT-22 (November 1976), pp. 644-654). Using an algorithm like the one first introduced by Diffie-Hellman, parties A and B can obtain a common shared secret by communicating over a public channel. The security of the system, in this instance, rests on the computational difficulty of computing discrete logarithms in the multiplicative group of the finite field. In more general cases the security is based on the notion of a one-way function. A function $f$ from a set X to a set Y is termed one-way if $f(x)$ is easy to compute for all $x \in X$ but for essentially all elements y it is computationally difficult to find $x \in X$ such that $f(x) = y$. To date a diverse array of mathematical techniques (including geometric and algebraic ones) have been used to create systems for secure communication whose security is based on one-way functions.

A problem with some of the prior art algorithms is that most of them rely on a cost-risk analysis when generating the one-way function. That is, in order to produce a more complex and more difficult to determine secret key, each party would need to spend more time in generating such a key and may need to invest in more expensive devices. With rapidly evolving technologies, implementing the current algorithms in a cryptographically secure manner is becoming difficult. Furthermore, there are instances of resource limited devices where current algorithms are difficult to implement. Thus, there is a need in the art for a system and method which can produce a secure key relatively quickly and without employing expensive devices.

SUMMARY OF THE INVENTION

An aspect of the invention is a method for securing communications from a user. The method comprises selecting a first monoid, selecting a second monoid and selecting a function, the function being a monoid homomorphism that maps the first monoid to the second monoid. The method further comprises selecting a group, selecting an action of the group on the first monoid, and determining a semi-direct product of the first monoid and the group to produce a third monoid. The method further comprises selecting a first and second submonoid of the third monoid, a pair of the first and second submonoids satisfying a criterion, the first submonoid being defined by a first set of generators, wherein the criterion satisfies a property determined by the function, a structure of the first and second monoids, and the action. The method still further comprises selecting a plurality of generators of the first set of generators to produce a private key.

Another aspect of the invention is a method for securing communications from a user. The method comprises receiving a first submonoid, the first submonoid being produced by selecting a first monoid, selecting a second monoid, selecting a function, the function being a monoid homomorphism that maps the first monoid to the second monoid, selecting a group, selecting an action of the group on the first monoid, determining a semi-direct product of the first monoid and the group to produce a third monoid, selecting a first and second submonoid of the third monoid, the pair of the first and second submonoids satisfying a criterion, the first submonoid being defined by a first set of generators, the criterion satisfying a property determined by the function, a structure of the first and second monoids, and the action. The method further comprising selecting a plurality of generators of the first set of generators to produce a private key. The method still further comprising applying the second component of an identity on a non-group component of a first generator of the private key to produce a result, wherein the identity comprises a first component, the first component being an identity of the second monoid, and the identity comprises a second component, the second component being an identity of the group. The method still further comprising applying the function to the result to produce a first modified result, multiplying the first component of the identity by the modified result to produce a first further modified result, multiplying the second component of the identity with a group component of the first generator to produce a first still further modified result, and combining the first further modified result with the first still further modified result to produce a public key.

Still another aspect of the invention is a method for securing communications among two users. The method comprises selecting a first monoid, selecting a second monoid, and selecting a function, the function being a monoid homomorphism that maps the first monoid to the second monoid. The method further comprising selecting a group, selecting an action of the group on the first monoid, and determining a first semi-direct product of the first monoid and the group to produce a third monoid. The method still further comprising selecting a first and second submonoid of the third monoid, a pair of the first and second submonoids satisfying a criterion, the first submonoid being defined by a first set of generators, the second submonoid being defined by a second set of generators, the criterion satisfying a property determined by the function, a structure of the first and second monoids, and the action. The method further comprising at a first user, receiving the first submonoid, selecting a plurality of generators of the first set of generators to produce a first private key, and applying the second component of an identity on a non-group component of a first generator of the first private key to produce a first result, wherein the identity comprises a first component, the first component being an identity of the second monoid, and the identity comprises a second component, the second component being an identity of the group. The method further comprising at the first user applying the function to the first result to produce a first modified result, multiplying the first component of the identity by the modified result to produce a first further modified result, multiplying the second component of the identity with a group component of the first generator of the first private key to produce a first still further modified result, and combining the first further modified result with the first still further modified result to produce a first public key. The method still further comprising at the first user a. applying a group component of the first public key on a non-group component of a second generator of the first private key to produce a second result, b. applying the function to the second result to produce a second modified result, c. multiplying a non-group component of the first public key by the second modified result to produce a second further modified result, d. multiplying the group component of the first public key with a group component of the second generator of the private key to produce second still further modified result; and e. combining the first further modified result with the second still further modified result to produce a second public key. The method further comprising at a second user receiving the second submonoid, selecting a plurality of generators of the second set of generators to produce a second private key, applying the second component of the identity on a non-group component of a first generator of the second private key to produce a third result, applying the function to the third result to produce a third modified result, multiplying the first component of the identity by the third modified result to produce a third further modified result, multiplying the second component of the identity with a group component of the first generator of the second private key to produce a third still further modified result, and combining the third further modified result with the third still further modified result to produce a third public key. The method still further comprising at the second user f. applying a group component of the third public key on a non-group component of a second generator of the second private key to produce a fourth result, g. applying the function to the fourth result to produce a fourth modified result, h. multiplying a non-group component of the third public key by the fourth modified result to produce a fourth further modified result, i. multiplying the group component of the third public key with a group component of the second generator of the second private key to produce a fourth still further modified result; and j. combining the fourth further modified result with the fourth still further modified result to produce a fourth public key.

Yet still another aspect of the invention is a transmitter comprising a memory including a first submonoid, the first submonoid being produced by selecting a first monoid, selecting a second monoid, selecting a function, the function being a monoid homomorphism that maps the first monoid to the second monoid, selecting a group, selecting an action of the group on the first monoid; determining a semi-direct product of the first monoid and the group to produce a third monoid, selecting a first and second submonoid of the third monoid, the pair of the first and second submonoids satisfying a criterion, the first submonoid being defined by a first set of generators; the criterion satisfying a property determined by the function, a structure of the first and second monoids, and the action. The transmitter further comprising a processor wherein the processor is effective to select a plurality of generators of the first set of generators to produce a private key. The processor is further effective to apply the second component of an identity on a non-group component of a first generator of the private key to produce a result, wherein the identity comprises a first component, the first component being an identity of the second monoid, and the identity comprises a second component, the second component being an identity of the group. The processor is further effective to apply the function to the result to produce a first modified result. The processor is effective to multiply the first component of the identity by the modified result to produce a first further modified result. The processor is effective to multiply the second component of the identity with a group component of the first generator to produce a first still further modified result; and the processor is effective to combine the first further modified result with the first still further modified result to produce a first public key. The processor is effective to a. apply a group component of the first public key on a non-group component of a second generator of the private key to produce a second result, b. apply the function to the second result to produce a second modified result, c. multiply a non-group component of the first public key by the second modified result to produce a second further modified result, d. multiply the group component of the first public key with a group component of the second generator of the private key to produce second still further modified result, and e. combine the first further modified result with the second still further modified result to produce a second public key.

Still another aspect of the invention is a system for securing communications between users. The system comprises a communications center, the communications center effective to select a first monoid, select a second monoid, select a function, the function being a monoid homomorphism that maps the first monoid to the second monoid, select a group, and select an action of the group on the first monoid. The communications center further effective to determine a first semi-direct product of the first monoid and the group to produce a third monoid; and select a first and second submonoid of the third monoid, a pair of the first and second submonoids satisfying a criterion, the first submonoid being defined by a first set of generators, the second submonoid being defined by a second set of generators, the criterion satisfying a property determined by the function, a structure of the first and second monoids, and the action. The system further comprising a first transmitter comprising a memory including the first submonoid and a first processor. The first processor effective to select a plurality of generators of the first set of generators to produce a first private key and apply the second component of an identity on a non-group component of a first generator of the first private key to produce a first result, wherein the identity comprises a first component, the first component being an identity of the second monoid, and the identity comprises a second component, the second component being an identity of the group. The first processor further effective to apply the function to the first result to produce a first modified result, multiply the first component of the identity by the modified result to produce a first further modified result, multiply the second component of the identity with a group component of the first generator to produce a first still further modified result and combine the first further modified result with the first still further modified result to produce a first public key. The first processor is further effective to a. apply a group component of the first public key on a non-group component of a second generator of the private key to produce a second result, b. apply the function to the second result to produce a second modified result, c. multiply a non-group component of the first public key by the second modified result to produce a second further modified result, d. multiply the group component of the first public key with a group component of the second generator of the first private key to produce second still further modified result; and e. combine the first further modified result with the second still further modified result to produce a second public key. The system further comprises a second transmitter comprising a memory including the second submonoid and a second processor. The second processor effective to select a plurality of generators of the second set of generators to produce a second private key, apply the second component of the identity on a non-group component of a first generator of the second private key to produce a third result, apply the function to the third result to produce a third modified result, and multiply the first component of the identity by the third modified result to produce a third further modified result. The second processor further effective to multiply the second component of the identity with a group component of the second generator to produce a third still further modified result and combine the third further modified result with the third still further modified result to produce a third public key. The second processor is further effective to f. apply a group component of the third public key on a non-group component of a second generator of the second private key to produce a fourth result, g. apply the function to the fourth result to produce a fourth modified result, h. multiply a non-group component of the first public key by the fourth modified result to produce a fourth further modified result, i. multiply the group component of the third public key with a group component of the second generator of the second private key to produce fourth still further modified result and j. combine the fourth further modified result with the fourth still further modified result to produce a fourth public key.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a system diagram illustrating a Π-Function module in accordance with an embodiment of the invention.

FIG. 2 is a system diagram illustrating an S-Action module in accordance with an embodiment of the invention.

FIG. 3 is a system diagram illustrating an E-Function module in accordance with an embodiment of the invention.

FIG. 4 is a system diagram illustrating the operation of an E-Function iterator module in accordance with an embodiment of the invention.

FIG. 5 is another system diagram illustrating the operation of an E-Function iterator module in accordance with an embodiment of the invention.

FIG. 6 is a system diagram illustrating a system for determining a pair of E-commuting monoids in accordance with an embodiment of the invention.

FIG. 7 is a system diagram illustrating a system for determining a private key in accordance with an embodiment of the invention.

FIG. 8 is a system diagram illustrating a system for determining a public key in accordance with an embodiment of the invention.

FIG. 9 is a system diagram illustrating a system for determining a common agreed upon secret key in accordance with an embodiment of the invention.

FIG. 10 is a flow diagram illustrating a method for determining a common agreed upon secret key and transmitting a message using that secret key in accordance with an embodiment of the invention.

FIG. 11 is a system diagram illustrating a system for determining a secret key in accordance with an embodiment of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention introduces an algorithmically efficient one-way function. The algorithm is both rapidly computable and computationally hard to reverse. An overview in accordance with the invention is provided in FIG. 10. Parties Alice and Bob are each in possession of a database from which they form their respective private keys (Boxes 101 and 102). They then proceed to produce their respective public keys based on their respective private keys by applying an algorithm in accordance with the invention (Boxes 103 and 104). Alice and Bob each have access to a respective transmitter and receiver. Alice and Bob use their respective transmitter and receiver to exchange their public keys. By exchanging these public keys they are each in a position to obtain a common agreed upon secret key by letting the received public key act on the respective user's private keys (Boxes 105 and 106). Once the shared secret key has been obtained, Alice can then encrypt a plaintext message, produce an encrypted message (Box 107), send the encrypted message (Box 108) to Bob, who can then decrypt the encrypted message (Box 109) to obtain Alice's plaintext message (Box 107).

Let M, N denote monoids and let S denote a group which acts on M on the left. Given an element $s \in S$ and an element $m \in M$, we denote the result of s acting on m by ${}^{s}m$. The semidirect product of M and S, $M \rtimes S$, is defined to be the monoid whose underlying set is $M \times S$ and whose internal binary operation

$$\theta_{M \rtimes S} : (M \times S) \times (M \times S) \to M \times S$$

is given by

$$\theta_{M \rtimes S} : ((m_1, s_1), (m_2, s_2)) \mapsto (m_1 \cdot {}^{s_1}m_2,\; s_1 s_2).$$

Furthermore, we let N×S denote the direct product.

An algebraic eraser is specified by a 6-tuple $(M \rtimes S, N, \Pi, E, A, B)$ where $M \rtimes S$ and N are as above, A, B are user submonoids of M, $\Pi$ is an easily computable monoid homomorphism

$$\Pi : M \to N,$$

E is a function

$$E : (N \times S) \times (M \rtimes S) \to N \times S$$

given by

$$E((n, s), (m_1, s_1)) = (n\,\Pi({}^{s}m_1),\; s s_1),$$

and A, B are submonoids of $M \rtimes S$ such that for all $(a, s_a) \in A$, $(b, s_b) \in B$

$$E((\Pi(a), s_a), (b, s_b)) = E((\Pi(b), s_b), (a, s_a)).$$

Two submonoids satisfying the above identity are termed E-Commuting.

An action of S on M does not induce an action of S on N, and given knowledge of the elements

$$(n, s),\; E((n, s), (m_1, s_1)) \in N \times S$$

it is very difficult to obtain the element $(m_1, s_1) \in M \rtimes S$. The action of the element $s \in S$ has been effectively erased by the algebraic eraser. A benefit lies in the efficiency of the computation of the function $\Pi$ and the iterative nature of the method and apparatus for the computation of the function E.

A preferred embodiment of an apparatus to perform an algebraic key agreement protocol based on the algebraic eraser is depicted in FIGS. 1 through 11, and begins with an apparatus to compute the function Π. The Π-Function module 13 is responsive to the data from the Π-Function module library 11, and the input element $m \in M$ from 12. The Π-Function module 13 computes the element $\Pi(m) \in N$.

In general a group S is said to act (on the left) on a monoid M provided there is a homomorphism from S to the endomorphisms of M which satisfies certain properties. Given $s \in S$ and $m \in M$, the element s maps m to a new element in M, denoted ${}^{s}m$. The required properties are

$${}^{s}(m_1 m_2) = {}^{s}m_1\,{}^{s}m_2, \qquad {}^{1}m = m, \qquad {}^{s_1 s_2}m = {}^{s_1}({}^{s_2}m).$$

Referring to FIG. 2, S-Action module 23 is responsive to the inputs $s \in S$ 21 and $m \in M$ 22, and computes the image of m under the action of s, yielding ${}^{s}m$ as output.

An apparatus to compute the function E is depicted in FIG. 3. The E-Function module 36 is responsive to the inputs $(n, s)$ 31 and $(m_1, s_1)$ 34. Given an ordered list (x,y) of two elements x, y, the first component projection of (x,y) outputs the first component x on the list. Similarly, the second component projection outputs the second component y. The input $(n, s)$, 31, is sent to the second component projection module, 32, and the input $(m_1, s_1)$ is likewise sent to a first component projection module, 33. The resulting elements of S and M of the first and second component modules 32, 33 are then forwarded to the S-Action module 23, yielding the element ${}^{s}m_1 \in M$. This resulting element ${}^{s}m_1$ is forwarded to the Π-Function module, 13, which outputs the element $\Pi({}^{s}m_1)$. The E-Function multiplier, 35, is responsive to the input $(n, s)$, 31, the element $\Pi({}^{s}m_1) \in N$, and the result of the input $(m_1, s_1)$, 34, being entered into the second component projection module, 32. The E-Function multiplier outputs the element $(n\,\Pi({}^{s}m_1),\; s s_1) \in N \times S$, which is also the output of the E-Function module 36.

The semi-direct product of M and S, denoted $M \rtimes S$, is defined to be the monoid whose underlying set is the direct product $M \times S$ and whose binary operation is given by

$$(m_1, s_1) \cdot (m_2, s_2) = (m_1 \cdot {}^{s_1}m_2,\; s_1 s_2).$$

It is noted that given an element $(n, s) \in N \times S$ and two elements $(m_1, s_1), (m_2, s_2) \in M \rtimes S$, that

$$E((n, s), (m_1, s_1) \cdot (m_2, s_2)) = E(E((n, s), (m_1, s_1)), (m_2, s_2)).$$

Hence computing the E-Function iteratively increases the system's efficiency and speed.

FIG. 4 depicts an apparatus which may be used in performing the above computation. An E-Function Iterator module 42 is responsive to the input $(n, s)$, 31, and to the input

$$(m_1, s_1), (m_2, s_2), \ldots, (m_k, s_k),$$

41, and outputs

$$\big(n\,\Pi({}^{s}m_1)\,\Pi({}^{s s_1}m_2) \cdots \Pi({}^{s s_1 \cdots s_{k-1}}m_k),\; s s_1 \cdots s_k\big).$$

A more detailed apparatus of the E-Function Iterator module 42 is depicted in FIG. 5 and begins with the input $(n, s)$ 31 being sent to the E-Function module 36. In addition, an input

$$(m_1, s_1), (m_2, s_2), \ldots, (m_k, s_k),$$

41, is sent to the choose t-th component module, 53, which is a module initialized at the value t=1 and repeatedly incremented by the increment t module, 54. The t-th component of the input

$$(m_1, s_1), (m_2, s_2), \ldots, (m_k, s_k)$$

is precisely $(m_t, s_t)$, which is the output of 53 and sent to the E-Function module 36. Furthermore the value of t is sent to the decision box 55 which also receives the value of the E-Function (iterated t−1 times up to that point). The decision box 55 determines if t=k, at which point the computation stops, otherwise, the output of decision box 55 becomes input 31 to the E-Function module 36 to be used as the new first component of E together with the incoming entry from choose t-th component module 53. The final value arrived at is given by

$$\big(n \cdot \Pi({}^{s}m_1)\,\Pi({}^{s s_1}m_2) \cdots \Pi({}^{s s_1 \cdots s_{k-1}}m_k),\; s s_1 \cdots s_k\big) = \big(n \cdot \Pi\big(({}^{s}m_1)({}^{s s_1}m_2) \cdots ({}^{s s_1 \cdots s_{k-1}}m_k)\big),\; s s_1 \cdots s_k\big).$$

Recall that two submonoids A, B are said to be E-Commuting provided

$$E((\Pi(a), s_a), (b, s_b)) = E((\Pi(b), s_b), (a, s_a))$$

holds for all $(a, s_a) \in A$, $(b, s_b) \in B$. FIG. 6 illustrates an apparatus which may be used in choosing a pair of E-Commuting monoids, A, B which may be utilized in the invention. A monoid is specified by a generating set, i.e., a subset of elements of the monoid which have the property that every element of the monoid can be expressed as a product of some of these generators (in some order, with repetitions allowed). The Semidirect Product Producer 60 is responsive to the monoid M and the group S and produces the monoid $M \rtimes S$. The monoid $M \rtimes S$, together with the monoid N and the function Π are sent to the E-Commuting Monoid Producer 63, whose output is sent to the Pairs of E-Commuting Monoid Library 64. A Pseudorandom Number Generator 61 produces a random number α, a Chooser 62 then accesses the α-th element of the Pairs of E-Commuting Monoid Library 63 and outputs the pair of E-Commuting monoids $A_1$, $B_1$ which are forwarded to Alice and Bob, respectively. Additionally the pair $A_1$, $B_1$ is forwarded to the User Submonoid Generator Database 65.

With the apparatuses for computing the S-Action, the functions Π and E specified, and each user's submonoid in place, the algebraic eraser key agreement protocol can now be detailed. If the E-commuting monoids $A_1$, $B_1$ are privately assigned to Alice and Bob, then the invention functions, for example, as a symmetric cryptosystem. If the monoid $M \rtimes S$ possesses a large library of pairs of E-Commuting submonoids which are recursively enumerable and whose internal algebraic structure is hidden then the invention can function, for example, as an asymmetric cryptosystem.

FIG. 7 illustrates a mechanism which may be used in enabling a user to generate a private key. Focusing on Alice (Bob's case is analogous), a second Pseudorandom Number Generator 72 responsive to the input $\alpha^{*}$, 71, creates a list of integers $e_1, e_2, \ldots, e_{\alpha^{*}}$ where each $e_i$ is generated in such a way that $e_i \le$ number of generators of $A_1$. The Sequence Encoder 73 is responsive to the list $e_1, e_2, \ldots, e_{\alpha^{*}}$ and the User Submonoid Generator Database 65 is responsive to the submonoid $A_1$. The Sequence Encoder 73 produces the list of the user generators $(m_{e_1}, s_{e_1}), (m_{e_2}, s_{e_2}), \ldots, (m_{e_{\alpha^{*}}}, s_{e_{\alpha^{*}}})$ out of the generating set of $A_1$. The Private Key Generator 74 is responsive to Encoder 73 and produces the user private key

$$M_A = (m_{e_1}, s_{e_1}), (m_{e_2}, s_{e_2}), \ldots, (m_{e_{\alpha^{*}}}, s_{e_{\alpha^{*}}})$$

which is sent to a memory 75. It should be observed that the product of the elements, denoted $(M_A, s_A)$,

$$(M_A, s_A) = (m_{e_1}, s_{e_1}) \cdot (m_{e_2}, s_{e_2}) \cdots (m_{e_{\alpha^{*}}}, s_{e_{\alpha^{*}}}) = \big((m_{e_1})({}^{s_1}m_{e_2}) \cdots ({}^{s_1 \cdots s_{\alpha^{*}-1}}m_{e_{\alpha^{*}}}),\; s_{e_1} \cdots s_{e_{\alpha^{*}}}\big)$$

is an element of the submonoid $A_1 \subset M \rtimes S$, but need not be computed explicitly for key agreement.

Now that Alice and Bob have chosen their respective user private keys, FIG. 8 depicts the apparatus which may be used in computing the user public keys. The E-Function Iterator module 42 is responsive to the input

$$(m_{e_1}, s_{e_1}), (m_{e_2}, s_{e_2}), \ldots, (m_{e_{\alpha^{*}}}, s_{e_{\alpha^{*}}}),$$

81, and the element

$$(1_N, 1_S) = (\mathrm{identity}_N, \mathrm{identity}_S) \in N \times S,$$

which is the identity of the monoid N in the first component and the identity of S in the second component. The E-Function Iterator module 42 produces the User Public Key

$$\begin{aligned}
(N_A, s_A) &= E\big((1_N, 1_S), (M_A, s_A)\big) \\
&= \big(\Pi(m_{e_1})\,\Pi({}^{s_1}m_{e_2}) \cdots \Pi({}^{s_1 \cdots s_{\alpha^{*}-1}}m_{e_{\alpha^{*}}}),\; s_{e_1} \cdots s_{e_{\alpha^{*}}}\big) \\
&= \big(\Pi\big((m_{e_1})({}^{s_1}m_{e_2}) \cdots ({}^{s_1 \cdots s_{\alpha^{*}-1}}m_{e_{\alpha^{*}}})\big),\; s_{e_1} \cdots s_{e_{\alpha^{*}}}\big) \\
&= (\Pi(M_A), s_A),
\end{aligned}$$

which is sent to memory 83.

At this point Alice has the public key (N_A, s_A) and private key (M_A), Bob has public key (N_B, s_B) and private key (M_B), and they are now in a position to utilize the apparatus depicted in FIG. 9 to obtain a common agreed upon secret key. Alice transmits her public key (N_A, s_A), input 91, via the transmitter/receiver 93, and likewise Bob transmits his public key (N_B, s_B), input 92, via the transmitter/receiver 94. The received public keys together with each user's private keys are then forwarded to the respective E-Function Iterator modules 42 a, 42 b, to yield

$\left(N_B\,\Pi({}^{s_B}M_A),\ s_B s_A\right) = E\left((N_B, s_B), (M_A, s_A)\right) = E\left((\Pi(M_B), s_B), (M_A, s_A)\right)$

$\left(N_A\,\Pi({}^{s_A}M_B),\ s_A s_B\right) = E\left((N_A, s_A), (M_B, s_B)\right) = E\left((\Pi(M_A), s_A), (M_B, s_B)\right)$

Since (M_A, s_A) and (M_B, s_B) are contained in the submonoids A₁, B₁ respectively, the original assumptions regarding the structure of the algebraic eraser imply that the above elements of N × S are equal and can serve as the common agreed upon secret key, 97.

The above key agreement protocol can be enhanced by combining it with the Diffie-Hellman protocol described in the prior art. One such combination is given as follows. Referring to FIG. 8, replace input 82 by the element (K_A, identity_S) (for Alice) and (K_B, identity_S) (for Bob) where K_A, K_B ∈ N are additional private keys chosen so that they commute. The public keys for Alice and Bob are E((K_A, identity_S), (M_A, s_A)) and E((K_B, identity_S), (M_B, s_B)), respectively. In this variation of the key agreement protocol, the common agreed upon secret key is given by

$E\left((K_A K_B \cdot \Pi(M_B), s_B), (M_A, s_A)\right) = E\left((K_B K_A \cdot \Pi(M_A), s_A), (M_B, s_B)\right).$

Referring now to FIG. 11, there is shown a system 1130 which could be used in accordance with an embodiment of the invention. System 1130 includes a first transmitter/receiver 1102 a and a second transmitter/receiver 1102 b. Transmitters/receivers 1102 a and 1102 b could be, for example, readers and tags in an RF-ID system. Transmitters/receivers 1102 a and 1102 b may, for example, generate information, receive information, or modulate received information to transmit other information.

Transmitter/receiver 1102 a includes a memory 1104 a, a processor 1110 a, an action module 1112 a, a Π-Function module 1108 a, an E-function multiplier 1106 a and an antenna 1114 a. Similarly, transmitter/receiver 1102 b includes a memory 1104 b, a processor 1110 b, an action module 1112 b, a Π-Function module 1108 b, an E-function multiplier 1106 b and an antenna 1114 b. Action modules 1112 a and 1112 b could be, for example, S-action module 23 discussed above. Π-Function modules 1108 a and 1108 b could be, for example, Π-Function module 13 discussed above. E-Function multipliers 1106 a and 1106 b could be E-Function multipliers 35 as described above.

Memories 1104 a and 1104 b each include monoids N and M, group S and function Π which all could be determined using, for example, the algorithms discussed above. Memory 1104 a further includes a submonoid A and memory 1104 b further includes a submonoid B. Submonoids A and B may be determined as discussed above. For example, a semi-direct product of S and M may be determined. A and B may then be E-commuting submonoids of this semi-direct product. Monoids M and N, group S, function Π and submonoids A and B may all be determined by a communications center 1132 in communication with a database 1134. Communications center 1132 may forward monoids M and N, group S, function Π and submonoids A and B to transmitter/receivers 1102 a, 1102 b using, for example, an antenna 1136. Alternatively, monoids M and N, group S, function Π and submonoids A and B may be stored in memories 1104 a, 1104 b of transmitter/receivers 1102 a, 1102 b respectively, when the respective devices are manufactured.

In operation, processors 1110 a and 1110 b each select generators of monoids A and B, respectively. The selection could be, for example, through the use of pseudo-random number generators 1120 a, 1120 b. Processor 1110 a then orders the generators to produce a private key 1118 a for transmitter/receiver 1102 a.

Processor 1110 a then forwards private key 1118 a and an identity element 1122 a to action module 1112 a, Π-Function module 1108 a and E-Function multiplier 1106 a to produce a public key 1122 a for transmitter/receiver 1102 a. Identity element 1122 a includes a first component which is the identity of monoid N and a second component which is the identity of group S. The process through action module 1112 a, Π-Function module 1108 a and E-Function multiplier 1106 a may be performed iteratively for each generator in private key 1118 a.

Similarly, processor 1110 b orders generators of monoid B to produce a private key 1118 b for transmitter/receiver 1102 b. Processor 1110 b then forwards private key 1118 b and an identity element 1122 b to action module 1112 b, Π-Function module 1108 b and E-Function multiplier 1106 b to produce a public key 1122 b for transmitter/receiver 1102 b. Identity element 1122 b includes a first component which is the identity monoid N and a second component which is the identity of group S. The process through action module 1112 b, Π-Function module 1108 b and E-Function multiplier 1106 b may be performed iteratively for each generator in private key 1118 b.

Transmitter/receivers 1102 a and 1102 b exchange their respective public keys 1122 a, 1122 b using antennas 1114 a and 1114 b respectively over a communication link 1128. Once the public keys 1122 a, 1122 b are received, a secret key may be ascertained. Focusing on transmitter/receiver 1102 a, for example, public key 1122 b from transmitter/receiver 1102 b is input to action module 1112 a, Π-function module 1108 a and E-Function multiplier 1106 a along with private key 1118 a. Action module 1112 a, Π-Function module 1108 a, and E-Function multiplier 1106 a may operate on these inputs iteratively for each generator in the private key from transmitter/receiver 1102 a, to produce a secret key 1124. A similar operation is performed at transmitter/receiver 1102 b. The secret key 1124 may then be used by transmitter/receivers 1102 a and 1102 b to communicate securely.

While the invention has been described and illustrated in connection with preferred embodiments, many variations and modifications as will be evident to those skilled in this art may be made without departing from the spirit and scope of the invention, and the invention is thus not to be limited to the precise details of methodology or construction set forth above as such variations and modification are intended to be included within the scope of the invention.

EXAMPLE

An instance of the algebraic eraser and its associated key agreement protocol can be obtained in the case where the monoid M is chosen to be the set of L×L matrices whose entries are rational functions with integral coefficients in the variables {t₁, t₂, …, t_κ}, i.e., the entries take the form

$\frac{C_{ij}(t_1, t_2, \ldots, t_\kappa)}{D_{ij}(t_1, t_2, \ldots, t_\kappa)}$

where 1 ≤ i, j ≤ κ, and C_ij, D_ij are polynomials. The group S is chosen to be the symmetric group on κ symbols, denoted S_κ. The action of the elements s ∈ S_κ on the set of variables {t₁, t₂, …, t_κ}, given by

$s : t_i \mapsto t_{s(i)},$

can be extended to an action on the monoid M in a natural manner. Given an element of M, input 22 (see FIG. 2), of the form

$\left[ \frac{C_{ij}(t_1, t_2, \ldots, t_\kappa)}{D_{ij}(t_1, t_2, \ldots, t_\kappa)} \right]_{1 \leq i, j \leq \kappa}$

and an element s ∈ S_κ, input 21, the result of the S_κ-Action module 23 is the element of M given by

${}^{s}\left[ \frac{C_{ij}(t_1, t_2, \ldots, t_\kappa)}{D_{ij}(t_1, t_2, \ldots, t_\kappa)} \right]_{1 \leq i, j \leq \kappa} = \left[ \frac{C_{ij}(t_{s(1)}, t_{s(2)}, \ldots, t_{s(\kappa)})}{D_{ij}(t_{s(1)}, t_{s(2)}, \ldots, t_{s(\kappa)})} \right]_{1 \leq i, j \leq \kappa}.$

Having specified the monoid M and the action of a group S on M, we fix a prime p and let the monoid N be the set of L×L matrices whose entries are integers mod p. Then to define the homomorphism Π, a set of integers (τ₁, τ₂, …, τ_κ) (mod p) is chosen and is stored in the Π-Function module Library 11. Given an element of M, Input 12, the Π-Function module produces the element of N given by

$\left[ \frac{C_{ij}(\tau_1, \tau_2, \ldots, \tau_\kappa) \bmod p}{D_{ij}(\tau_1, \tau_2, \ldots, \tau_\kappa) \bmod p} \right]_{1 \leq i, j \leq \kappa}.$

It is tacitly assumed that

$D_{ij}(\tau_1, \tau_2, \ldots, \tau_\kappa) \not\equiv 0 \pmod{p}$

which can always be arranged by appropriate selection of (τ₁, τ₂, …, τ_κ) for the situation at hand.

With the above choices in place the E-Function 13 takes the form

$E\left( \left([d_{ij}], s\right), \left( \left[ \frac{C_{ij}(t_1, t_2, \ldots, t_\kappa)}{D_{ij}(t_1, t_2, \ldots, t_\kappa)} \right], s_1 \right) \right) = \left( [d_{ij}] \cdot \left[ \frac{C_{ij}(\tau_{s(1)}, \tau_{s(2)}, \ldots, \tau_{s(\kappa)}) \bmod p}{D_{ij}(\tau_{s(1)}, \tau_{s(2)}, \ldots, \tau_{s(\kappa)}) \bmod p} \right],\ s \cdot s_1 \right).$

The E-Function Iterator module 42 may be evaluated via the apparatus in FIG. 5.

A method for creating the library of pairs of E-Commuting monoids will now be specified. Each monoid in such a pair will be presented as a list of generators each of which is contained in M ⋊ S. A feature of the method is that the internal algebraic structure of the pairs of E-Commuting monoids is difficult to determine from the publicly announced list of generators. Choose two sets X, Y of elements of M, and two sets U, V of elements of S_κ, where the following properties hold:

- xy = yx
- uv = vu
- ^v x = x
- ^u y = y,

for all x ∈ X, y ∈ Y and u ∈ U, v ∈ V. There are many such choices for the sets X, Y, U, V. In fact, the number of choices also grows exponentially with L.

One method to specifically choose the sets X, Y, U, V is given as follows. Partition the set {t₁, t₂, …, t_κ} into two disjoint subsets T₁, T₂ where T_i = {t_{i_1}, t_{i_2}, …, t_{iκ}} for i = 1, 2. Correspondingly, there will exist two distinct subgroups U, V of S_κ, where an element of U permutes the variables in T₁ and fixes the variables in T₂, and similarly an element of V permutes the variables in T₂ and fixes the variables in T₁. Observe that every element u ∈ U commutes with every element v ∈ V. Next choose positive integers l₁ and l₂ such that L = l₁ + l₂ + 1. The matrices in X are chosen to be of the form

$\quad\begin{pmatrix}\; & \; & \; & 0 & \; & \; & \; \\\; & \mathcal{M}_{l_{1}} & \; & \vdots & \; & \; & \; \\\; & \; & \; & 0 & \; & \; & \; \\0 & \ldots & 0 & 1 & 0 & \ldots & 0 \\\; & \; & \; & 0 & 1 & \; & \; \\\; & \; & \; & \vdots & \; & \ddots & \; \\\; & \; & \; & 0 & \; & \; & 1\end{pmatrix}$

where $\mathcal{M}_{l_1}$ is an $l_1 \times l_1$ matrix whose entries are rational functions in the variables T₁. All nonspecified entries of the above matrix are equal to 0. Similarly, the matrices in Y are chosen to be of the form

$\quad\begin{pmatrix}1 & \; & \; & 0 & \; & \; & \; \\\; & \ddots & \; & \vdots & \; & \; & \; \\\; & \; & 1 & 0 & \; & \; & \; \\0 & \ldots & 0 & 1 & 0 & \ldots & 0 \\\; & \; & \; & 0 & \; & \; & \; \\\; & \; & \; & \vdots & \; & \mathcal{M}_{l_{2}} & \; \\\; & \; & \; & 0 & \; & \; & \;\end{pmatrix}$

where $\mathcal{M}_{l_2}$ is an $l_2 \times l_2$ matrix whose entries are rational functions in the variables T₂. It is clear that the above choices of matrices commute, and that an element u ∈ U acts trivially on each matrix in Y, and an element v ∈ V acts trivially on each matrix in X.

With this done choose an invertible element (z,w) ∈ M ⋊ S. There are many such choices for (z,w), and in fact, the number of such choices grows exponentially with L. One can now define the submonoids as

A = {(z,w)·(x,u)·(z,w)⁻¹ | x ∈ X, u ∈ U},

B = {(z,v)·(y,u)·(z,w)⁻¹ | y ∈ Y, v ∈ V}.

It is readily verifiable that A, B are E-Commuting monoids. Note that the search for (z,w) is more difficult than a standard conjugacy search problem because the conjugated elements are unknown.

In the key agreement protocol, there are two users, Alice and Bob, each of whom has a public and a private key. The users proceed with a public exchange, after which each is in a position to obtain a common agreed upon secret key which can then be used for further cryptographic applications. The key agreement protocol begins in this example with each user, Alice and Bob, being assigned a user submonoid A₁, and B₁, respectively, from a pair in the E-Commuting Monoid Library, 63. Each user, Alice and Bob, proceeds to choose a private key which is the output of a respective Private Key Generator 74. Each user public key is then computed by directing the user private key, input 81, to the E-Function Iterator module 42, along with the input 82. The E-Function Iterator module 42 allows the users to compute their respective public keys in a novel and rapid fashion. The computations involved are 8-bit modular arithmetic operations (addition, subtraction, multiplication, and division) and 8-bit string search and replacement. These computations can be achieved at low cost and high efficiency.

Finally, the public keys are exchanged via the transmitter/receivers 93, 94. The results of this exchange, along with the users' private keys, are sent to the E-Function Iterator module 42 a, 42 b, which outputs the common agreed upon secret key 97.
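The construction of X, Y, U, V, the E-Function and the key exchange of this EXAMPLE can be followed in the Python sketch below, which is an added illustration and not code from the patent. Its assumptions: the parameter values (p = 251, κ = 6, L = 5), polynomial-only matrix entries, elements of M held as evaluation closures rather than symbolic matrices, and both submonoids conjugated by the same invertible element (z,w).

```python
import random

P = 251                            # prime modulus (constructed; fits the 8-bit arithmetic)
KAPPA, L = 6, 5                    # 6 variables; L = l1 + l2 + 1 with l1 = l2 = 2
T1, T2 = (0, 1, 2), (3, 4, 5)      # 0-based indices of the variable blocks T1, T2
ID_S = tuple(range(KAPPA))         # identity permutation
rng = random.Random(2024)          # fixed seed, for a reproducible run only
TAU = tuple(rng.randrange(1, P) for _ in range(KAPPA))   # the integers tau_i defining Pi

def identity():
    return [[int(i == j) for j in range(L)] for i in range(L)]
def matmul(a, b):
    return [[sum(x * y for x, y in zip(r, c)) % P for c in zip(*b)] for r in a]

def inverse(a):                    # Gauss-Jordan inverse mod P of an invertible matrix
    a = [row[:] + e for row, e in zip(a, identity())]
    for c in range(L):
        piv = next(r for r in range(c, L) if a[r][c])
        a[c], a[piv] = a[piv], a[c]
        k = pow(a[c][c], -1, P)
        a[c] = [v * k % P for v in a[c]]
        a = [row if r == c else [(v - row[c] * w) % P for v, w in zip(row, a[c])]
             for r, row in enumerate(a)]
    return [row[L:] for row in a]

def compose(s, t):                 # group product st, with (st)(i) = s(t(i))
    return tuple(s[t[i]] for i in range(KAPPA))
def perm_inverse(s):
    return tuple(sorted(range(KAPPA), key=lambda i: s[i]))

# Assumption of this sketch: an element of M is held as a closure pt -> matrix mod P
# (its rational-function entries evaluated at pt). That suffices because the
# protocol only ever needs Pi(^s m), i.e. m evaluated at a permuted copy of TAU.
def act(s, m):                     # ^s m : substitute t_i -> t_{s(i)}
    return lambda pt: m(tuple(pt[s[i]] for i in range(KAPPA)))

def sd_mul(g, h):                  # (m1,s1)(m2,s2) = (m1 * ^{s1}m2, s1 s2)
    (m1, s1), (m2, s2) = g, h
    m2s = act(s1, m2)
    return (lambda pt: matmul(m1(pt), m2s(pt)), compose(s1, s2))

def sd_inv(g):                     # (z,w)^-1 = (^{w^-1}(z^-1), w^-1)
    z, w = g
    wi = perm_inverse(w)
    return (act(wi, lambda pt: inverse(z(pt))), wi)

def E(ns, ms):                     # E((n,s),(m,s1)) = (n * Pi(^s m), s s1)
    (n, s), (m, s1) = ns, ms
    return (matmul(n, act(s, m)(TAU)), compose(s, s1))

def iterate_E(start, key):         # E-Function Iterator: one generator at a time
    for g in key:
        start = E(start, g)
    return start

def poly(vars_):                   # random polynomial in the given variables only
    c = [rng.randrange(P) for _ in range(len(vars_) + 1)]
    return lambda pt: (c[0] + sum(ci * pt[v] ** 2 for ci, v in zip(c[1:], vars_))) % P

def block(vars_, top):             # identity matrix with a 2x2 polynomial block at `top`
    f = [[poly(vars_) for _ in range(2)] for _ in range(2)]
    def m(pt):
        a = identity()
        for i in range(2):
            for j in range(2):
                a[top + i][top + j] = f[i][j](pt)
        return a
    return m

def perm_of(vars_):                # random permutation that moves only `vars_`
    s, img = list(ID_S), list(vars_)
    rng.shuffle(img)
    for v, w in zip(vars_, img):
        s[v] = w
    return tuple(s)

def unitriangular():               # upper unitriangular: determinant 1 at every point
    f = {(i, j): poly(ID_S) for i in range(L) for j in range(i + 1, L)}
    return lambda pt: [[1 if i == j else f[i, j](pt) if i < j else 0
                        for j in range(L)] for i in range(L)]

def make_instance(n_gens=4, key_len=8):
    zw = (unitriangular(), perm_of(ID_S))        # invertible (z, w)
    zw_inv = sd_inv(zw)
    conj = lambda g: sd_mul(sd_mul(zw, g), zw_inv)
    gens_a = [conj((block(T1, 0), perm_of(T1))) for _ in range(n_gens)]   # from X, U
    gens_b = [conj((block(T2, 3), perm_of(T2))) for _ in range(n_gens)]   # from Y, V
    priv_a = [rng.choice(gens_a) for _ in range(key_len)]   # ordered generator sequence
    priv_b = [rng.choice(gens_b) for _ in range(key_len)]
    return priv_a, priv_b

def key_agreement():
    priv_a, priv_b = make_instance()
    one = (identity(), ID_S)                     # (1_N, 1_S)
    pub_a, pub_b = iterate_E(one, priv_a), iterate_E(one, priv_b)
    secret_a = iterate_E(pub_b, priv_a)          # Alice: Bob's public key, her private key
    secret_b = iterate_E(pub_a, priv_b)          # Bob: Alice's public key, his private key
    return pub_a, pub_b, secret_a, secret_b
```

Calling `key_agreement()` returns both public keys and both derived secrets; the two secrets are equal because the conjugated generators of A and B commute in the semi-direct product.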

What is claimed is:
1. A method for securing communications from a user, the method comprising: selecting a first monoid; selecting a second monoid; selecting a function, the function being a monoid homomorphism that maps the first monoid to the second monoid; selecting a group; selecting an action of the group on the first monoid; determining a semi-direct product of the first monoid and the group to produce a third monoid; selecting a first and second submonoid of the third monoid, a pair of the first and second submonoids satisfying a criterion, the first submonoid being defined by a first set of generators, wherein the criterion satisfies a property determined by the function, a structure of the first and second monoids, and the action; and selecting a plurality of generators of the first set of generators to produce a private key.
2. The method as recited in claim 1, wherein the selecting the plurality of first generators is produced using a pseudo-random number generator.
3. The method as recited in claim 1, further comprising: applying a second component of an identity on a non-group component of a first generator of the private key to produce a result, wherein the identity comprises a first component, the first component being an identity of the second monoid, and the identity comprises a second component, the second component being an identity of the group; applying the function to the result to produce a first modified result; multiplying the first component of the identity by the modified result to produce a first further modified result; and multiplying the second component of the identity with a group component of the first generator to produce a first still further modified result; and combining the first further modified result with the first still further modified result to produce a first public key.
4. The method as recited in claim 3, further comprising a. applying a group component of the first public key on a non-group component of a second generator of the private key to produce a second result; b. applying the function to the second result to produce a second modified result; c. multiplying a non-group component of the first public key by the second modified result to produce a second further modified result; d. multiplying the group component of the first public key with a group component of the second generator of the private key to produce a second still further modified result; and e. combining the first further modified result with the second still further modified result to produce a second public key.
5. The method as recited in claim 4, further comprising repeating steps a, b, c, d and e for all generators in the private key.
6. The method as recited in claim 1, wherein the selecting the plurality of first generators includes ordering the plurality of first generators in a particular order.
7. The method as recited in claim 1, further comprising encrypting a message using, at least in part, the private key.
8. The method as recited in claim 3, further comprising encrypting a message using, at least in part, the public key.
9. A method for securing communications from a user, the method comprising: receiving a first submonoid, the first submonoid being produced by: selecting a first monoid; selecting a second monoid; selecting a function, the function being a monoid homomorphism that maps the first monoid to the second monoid; selecting a group; selecting an action of the group on the first monoid; and determining a semi-direct product of the first monoid and the group to produce a third monoid; selecting a first and second submonoid of the third monoid, the pair of the first and second submonoids satisfying a criterion, the first submonoid being defined by a first set of generators, the criterion satisfying a property determined by the function, a structure of the first and second monoids, and the action; selecting a plurality of generators of the first set of generators to produce a private key; applying the second component of an identity on a non-group component of a first generator of the private key to produce a result, wherein the identity comprises a first component, the first component being an identity of the second monoid, and the identity comprises a second component, the second component being an identity of the group; applying the function to the result to produce a first modified result; multiplying the first component of the identity by the modified result to produce a first further modified result; and multiplying the second component of the identity with a group component of the first generator to produce a first still further modified result; and combining the first further modified result with the first still further modified result to produce a public key.
10. A method for securing communications among two users, the method comprising: selecting a first monoid; selecting a second monoid; selecting a function, the function being a monoid homomorphism that maps the first monoid to the second monoid; selecting a group; selecting an action of the group on the first monoid; determining a first semi-direct product of the first monoid and the group to produce a third monoid; selecting a first and second submonoid of the third monoid, a pair of the first and second submonoids satisfying a criterion, the first submonoid being defined by a first set of generators, the second submonoid being defined by a second set of generators, the criterion satisfying a property determined by the function, a structure of the first and second monoids, and the action; at a first user; receiving the first submonoid; selecting a plurality of generators of the first set of generators to produce a first private key; applying the second component of an identity on a non-group component of a first generator of the first private key to produce a first result, wherein the identity comprises a first component, the first component being an identity of the second monoid, and the identity comprises a second component, the second component being an identity of the group; applying the function to the first result to produce a first modified result; multiplying the first component of the identity by the modified result to produce a first further modified result; multiplying the second component of the identity with a group component of the first generator of the first private key to produce a first still further modified result; combining the first further modified result with the first still further modified result to produce a first public key; a. applying a group component of the first public key on a non-group component of a second generator of the first private key to produce a second result; b. applying the function to the second result to produce a second modified result; c. multiplying a non-group component of the first public key by the second modified result to produce a second further modified result; d. multiplying the group component of the first public key with a group component of the second generator of the private key to produce second still further modified result; and e. combining the first further modified result with the second still further modified result to produce a second public key; at a second user: receiving the second submonoid; selecting a plurality of generators of the second set of generators to produce a second private key; applying the second component of the identity on a non-group component of a first generator of the second private key to produce a third result, applying the function to the third result to produce a third modified result; multiplying the first component of the identity by the third modified result to produce a third further modified result; multiplying the second component of the identity with a group component of the first generator of the second private key to produce a third still further modified result; combining the third further modified result with the third still further modified result to produce a third public key; f. applying a group component of the third public key on a non-group component of a second generator of the second private key to produce a fourth result; g. applying the function to the fourth result to produce a fourth modified result; h. multiplying a non-group component of the third public key by the fourth modified result to produce a fourth further modified result; i. multiplying the group component of the third public key with a group component of the second generator of the second private key to produce a fourth still further modified result; and j. combining the fourth further modified result with the fourth still further modified result to produce a fourth public key.
11. The method as recited in claim 10, further comprising: forwarding the fourth public key to the first user; at the first user: applying a group component of a first element of the second public key on a non-group component of the first private key to produce a fifth result; applying the function to the fifth result to produce a fifth modified result; multiplying a non-group component of the first element of the second public key by the fifth modified result to produce a fifth further modified result; multiplying the group component of the first element of the second public key with a group component of the first generator of the first private key to produce a fifth still further modified result; combining the fifth further modified result with the fifth still further modified result to produce a first secret key; k. applying a group component of the first secret key on a non-group component of a second generator of the first private key to produce a sixth result; l. applying the function to the sixth result to produce a sixth modified result; m. multiplying a non-group component of the first secret key by the sixth modified result to produce a sixth further modified result; n. multiplying the group component of the first secret key with a group component of the second generator of the first private key to produce a sixth still further modified result; and o. combining the sixth further modified result with the sixth still further modified result to produce a second secret key.
12. The method as recited in claim 11, further comprising repeating steps a through e for all generators of the first private key.
13. The method as recited in claim 12, further comprising repeating steps f through j for all generators of the second private key.
14. The method as recited in claim 13, further comprising repeating steps k through o for all generators of the first private key.
15. The method as recited in claim 12, further comprising encrypting a message using, at least in part, the second secret key.
16. A transmitter comprising: a memory including a first submonoid, the first submonoid being produced by: selecting a first monoid; selecting a second monoid; selecting a function, the function being a monoid homomorphism that maps the first monoid to the second monoid; selecting a group; selecting an action of the group on the first monoid; and determining a semi-direct product of the first monoid and the group to produce a third monoid; selecting a first and second submonoid of the third monoid, the pair of the first and second submonoids satisfying a criterion, the first submonoid being defined by a first set of generators, the criterion satisfying a property determined by the function, a structure of the first and second monoids, and the action; and a processor; wherein the processor is effective to select a plurality of generators of the first set of generators to produce a private key; the processor is effective to apply the second component of an identity on a non-group component of a first generator of the private key to produce a result, wherein the identity comprises a first component, the first component being an identity of the second monoid, and the identity comprises a second component, the second component being an identity of the group; the processor is effective to apply the function to the result to produce a first modified result; the processor is effective to multiply the first component of the identity by the modified result to produce a first further modified result; the processor is effective to multiply the second component of the identity with a group component of the first generator to produce a first still further modified result; and the processor is effective to combine the first further modified result with the first still further modified result to produce a first public key; the processor is effective to: a. apply a group component of the first public key on a non-group component of a second generator of the private key to produce a second result; b. apply the function to the second result to produce a second modified result; c. multiply a non-group component of the first public key by the second modified result to produce a second further modified result; d. multiply the group component of the first public key with a group component of the second generator of the private key to produce second still further modified result; and e. combine the first further modified result with the second still further modified result to produce a second public key.
17. The transmitter as recited in claim 16, wherein the processor is further effective to iteratively perform a through e for all the generators in the first private key.
18. A system for securing communications between users, the system comprising: a communications center, the communications center effective to: select a first monoid; select a second monoid; select a function, the function being a monoid homomorphism that maps the first monoid to the second monoid; select a group; select an action of the group on the first monoid; determine a first semi-direct product of the first monoid and the group to produce a third monoid; and select a first and second submonoid of the third monoid, a pair of the first and second submonoids satisfying a criterion, the first submonoid being defined by a first set of generators, the second submonoid being defined by a second set of generators, the criterion satisfying a property determined by the function, a structure of the first and second monoids, and the action; a first transmitter comprising: a memory including the first submonoid; a first processor, the first processor effective to: select a plurality of generators of the first set of generators to produce a first private key; apply the second component of an identity on a non-group component of a first generator of the first private key to produce a first result, wherein the identity comprises a first component, the first component being an identity of the second monoid, and the identity comprises a second component, the second component being an identity of the group; apply the function to the first result to produce a first modified result; multiply the first component of the identity by the modified result to produce a first further modified result; multiply the second component of the identity with a group component of the first generator to produce a first still further modified result; and combine the first further modified result with the first still further modified result to produce a first public key; the first processor is further effective to: a. apply a group component of the first public key on a non-group component of a second generator of the private key to produce a second result; b. apply the function to the second result to produce a second modified result; c. multiply a non-group component of the first public key by the second modified result to produce a second further modified result; d. multiply the group component of the first public key with a group component of the second generator of the first private key to produce second still further modified result; and e. combine the first further modified result with the second still further modified result to produce a second public key; a second transmitter comprising: a memory including the second submonoid; a second processor, the second processor effective to select a plurality of generators of the second set of generators to produce a second private key; apply the second component of the identity on a non-group component of a first generator of the second private key to produce a third result, apply the function to the third result to produce a third modified result; multiply the first component of the identity by the third modified result to produce a third further modified result; multiply the second component of the identity with a group component of the second generator to produce a third still further modified result; combine the third further modified result with the third still further modified result to produce a third public key; the second processor is further effective to: f. apply a group component of the third public key on a non-group component of a second generator of the second private key to produce a fourth result; g. apply the function to the fourth result to produce a fourth modified result; h. multiply a non-group component of the first public key by the fourth modified result to produce a fourth further modified result; i. multiply the group component of the third public key with a group component of the second generator of the second private key to produce fourth still further modified result; and j. combine the fourth further modified result with the fourth still further modified result to produce a fourth public key.
19. The system as recited in claim 18, wherein: the second processor is further effective to forward the fourth public key to the first processor; and the first processor is further effective to: apply a group component of a first element of the fourth public key on a non-group component of the first private key to produce a fifth result; apply the function to the fifth result to produce a fifth modified result; multiply a non-group component of the first element of the fourth public key by the fifth modified result to produce a fifth further modified result; multiply the group component of the fourth public key with a group component of the first generator of the first private key to produce a fifth still further modified result; and combine the fifth further modified result with the fifth still further modified result to produce a first secret key; k. apply a group component of the first secret key on a non-group component of a second generator of the first private key to produce a sixth result; l. apply the function to the sixth result to produce a sixth modified result; m. multiply a non-group component of the first secret key by the sixth modified result to produce a sixth further modified result; n. multiplying the group component of the first secret key with a group component of the second generator of the private key to produce a sixth still further modified result; and o. combining the sixth further modified result with the sixth still further modified result to produce a second secret key.
20. The system as recited in claim 19, further comprising repeating steps a through e for all generators of the first private key.
21. The system as recited in claim 20, further comprising repeating steps f through j for all generators of the second private key.
22. The system as recited in claim 21, further comprising repeating steps k through o for all generators of the first private key.
23. The system as recited in claim 22, further comprising encrypting a message using, at least in part, the second secret key.